3 Answers

By the definition of a honeypot, no, they are not a prevention tool. Honeypots are a tool for behavioral analysis (by seeing what kind of data they are after), slowing an attacker down (by giving them large amounts of noise to manipulate), or fingerprinting an attacker (you have a copy of all the files in the honeypot, and you can compare their downloads to yours).

A honeypot is only available to the attacker after they have compromised your network. If it isn't the attacker's first stop, they may not get there during their attack.

Does anyone employ honeypots in practice? Yes, I personally know of several companies that handle medical documents that do. Some military nets use them as well.

Directly, they are not. They can provide several benefits that indirectly assist in preventing attacks, however. For researchers, honeypots are a great way to learn about attack behavior.

For a network administrator, honeypots can entice an attacker's attention away from more valuable systems and alert you that some level of compromise has already occurred. This may allow you to address an attack before real data loss occurs if the system is well-monitored.

Preventing attacks? No. But I use honeypots within my networks as monitoring and alert tools and one on the Internet for research.

Internal honeypots are low-cost and easy to maintain and they supplement the other monitoring tools I have in place. If there is a hole in my monitoring or someone has circumvented my efforts, the honeypot exists as a passive indicator of unauthorized activity. It also serves as a 'high-water mark' for potential intrusions. If there is an incident, but the honeypot is not touched, I can make some assumptions as to the extent of the breach. If the honeypot is touched at all, then I know to escalate the incident immediately. With an internal honeypot, there are no 'false positives'.

External honeypots are very useful for research. I get to see what hackers do, watch trends and techniques and learn up-to-date hacking methods. I find them more educational than any class I have taken. In addition, there are rare cases when I have been able to personally identify a hacker and make a 'proactive' response.

I like Kippo because it offers high interactivity and allows me to replay the attack keystroke by keystroke, which is more informative than I thought it would be. It is easy to extend and customize. It also provides high entertainment value watching new hackers get taunted by the software.
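The internal-honeypot tripwire the answer above describes (every touch is an alert, no legitimate clients, the honeypot as a high-water mark for an incident), as an added example that is not part of the answer and is not Kippo's code. It is a low-interaction listener that only pretends to be sshd long enough to log who connected and what they sent. The port 2222, the OpenSSH-style banner string, and the `allowlist` parameter (for your own vulnerability scanner, which is allowed to touch the honeypot) are assumptions made for the example; the probe input in `simulate_probe` is constructed so the code can be exercised without opening a network port.

```python
"""Internal honeypot tripwire (added illustration; not Kippo, not the answerer's setup).
Assumptions: port 2222 and the banner are arbitrary; allowlist is a hypothetical knob
for addresses such as your own scanner that are permitted to touch the honeypot."""
import datetime
import socket
import threading

# Low-interaction: we only pretend to be sshd long enough to record the touch.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class HoneypotEvents:
    """Thread-safe record of every connection the honeypot ever received."""

    def __init__(self):
        self._lock = threading.Lock()
        self.events = []

    def record(self, src_ip, src_port, payload):
        event = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "payload": payload,
        }
        with self._lock:
            self.events.append(event)
        return event


def handle_client(conn, addr, events, timeout=5.0):
    """Serve one connection: send the fake banner, capture up to 1 KiB of
    whatever the peer sends, close, and log the touch."""
    conn.settimeout(timeout)
    try:
        conn.sendall(BANNER)
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""  # silent port scan: still a touch, still logged
    finally:
        conn.close()
    return events.record(addr[0], addr[1], payload)


def classify_incident(events, allowlist=frozenset()):
    """Escalation rule from the answer: an internal honeypot has no legitimate
    clients, so any touch not from an allowlisted address means the intrusion
    reached the honeypot and the incident is escalated."""
    touches = [e for e in events if e["src_ip"] not in allowlist]
    return ("escalate" if touches else "contained"), touches


def simulate_probe(src_ip, src_port, payload, events=None):
    """Offline dry run over a socketpair (constructed input, no network port):
    returns (recorded event, bytes the probing side received)."""
    events = events if events is not None else HoneypotEvents()
    server_side, probe_side = socket.socketpair()
    try:
        probe_side.sendall(payload)  # attacker or scanner speaks first
        event = handle_client(server_side, (src_ip, src_port), events)
        seen = probe_side.recv(len(BANNER))
    finally:
        probe_side.close()
    return event, seen


def serve(bind_addr="0.0.0.0", port=2222, events=None):
    """Blocking listener; one thread per connection, one alert per touch."""
    events = events if events is not None else HoneypotEvents()

    def serve_one(conn, addr):
        event = handle_client(conn, addr, events)
        print("ALERT honeypot touched by %s:%d payload=%r"
              % (event["src_ip"], event["src_port"], event["payload"]))

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, port))
    listener.listen(16)
    while True:
        conn, addr = listener.accept()
        threading.Thread(target=serve_one, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the listener never speaks real SSH, it cannot be used as a pivot, and because no production host is configured to talk to it, the allowlist is the only place a 'false positive' could come from: keep it to the scanner addresses you control, and treat everything else as the escalation trigger the answer describes.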